Cuckoo Sandbox

File tcmd1151x32.exe

Summary
Download Resubmit sample

Size	5.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`f6058757b01d379f3f4d7989b31f0acf`
SHA1	`afab94efb8757f109da04d58fed437fcbcd7645a`
SHA256	`47d5c3f9a10a785d868c165dcea52af7cb90dbf340eb64d601c1cb83ef6b0157`
SHA512	`768eb931c5c28fc1041f918b380dd4adcc1a5c04931e2f22cf4c460e78656818e4a8fb602f730b98bbb0e925aa5262a2f7c6ca97aafcb8c3a23ff52f58d90d0f`
CRC32	`0CA4129C`
ssdeep	`None`
Yara	disable_antivirus - Disable AntiVirus escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile

Score

This file shows numerous signs of malicious behavior.

The score of this file is 4.1 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	June 15, 2025, 12:42 p.m.	June 15, 2025, 12:43 p.m.	67 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-06-15 12:42:28,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpt1gcja
2025-06-15 12:42:28,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\EjsSrkruWECLhmmHgtinrCUFpJ
2025-06-15 12:42:28,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\MoQsUUdcpzwxZaCNsjZWZrAVAP
2025-06-15 12:42:28,265 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-15 12:42:28,265 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-15 12:42:28,655 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-15 12:42:28,858 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-06-15 12:42:28,858 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-15 12:42:28,858 [analyzer] DEBUG: Started auxiliary module Human
2025-06-15 12:42:28,858 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-15 12:42:28,858 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-15 12:42:28,953 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-15 12:42:28,967 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-15 12:42:28,967 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-15 12:42:28,967 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-15 12:42:29,187 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\tcmd1151x32.exe' with arguments '' and pid 1140
2025-06-15 12:42:29,358 [analyzer] DEBUG: Loaded monitor into process with pid 1140
2025-06-15 11:43:26,101 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-15 11:43:26,335 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1140.
2025-06-15 11:43:26,664 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-15 11:43:26,664 [lib.api.process] INFO: Successfully terminated process with pid 1140.
2025-06-15 11:43:26,680 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-15 12:42:29,455 [cuckoo.core.scheduler] INFO: Task #6556656: acquired machine win7x642 (label=win7x642)
2025-06-15 12:42:29,456 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.202 for task #6556656
2025-06-15 12:42:29,662 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1393851 (interface=vboxnet0, host=192.168.168.202)
2025-06-15 12:42:32,110 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x642
2025-06-15 12:42:32,509 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x642 to vmcloak
2025-06-15 12:42:48,015 [cuckoo.core.guest] INFO: Starting analysis #6556656 on guest (id=win7x642, ip=192.168.168.202)
2025-06-15 12:42:49,021 [cuckoo.core.guest] DEBUG: win7x642: not ready yet
2025-06-15 12:42:54,051 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x642, ip=192.168.168.202)
2025-06-15 12:42:54,129 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x642, ip=192.168.168.202, monitor=latest, size=6660546)
2025-06-15 12:42:55,884 [cuckoo.core.resultserver] DEBUG: Task #6556656: live log analysis.log initialized.
2025-06-15 12:42:56,697 [cuckoo.core.resultserver] DEBUG: Task #6556656 is sending a BSON stream
2025-06-15 12:42:57,180 [cuckoo.core.resultserver] DEBUG: Task #6556656 is sending a BSON stream
2025-06-15 12:42:57,976 [cuckoo.core.resultserver] DEBUG: Task #6556656: File upload for 'shots/0001.jpg'
2025-06-15 12:42:57,985 [cuckoo.core.resultserver] DEBUG: Task #6556656 uploaded file length: 72123
2025-06-15 12:43:10,541 [cuckoo.core.guest] DEBUG: win7x642: analysis #6556656 still processing
2025-06-15 12:43:25,640 [cuckoo.core.guest] DEBUG: win7x642: analysis #6556656 still processing
2025-06-15 12:43:26,548 [cuckoo.core.resultserver] DEBUG: Task #6556656: File upload for 'curtain/1749980606.54.curtain.log'
2025-06-15 12:43:26,551 [cuckoo.core.resultserver] DEBUG: Task #6556656 uploaded file length: 36
2025-06-15 12:43:26,672 [cuckoo.core.resultserver] DEBUG: Task #6556656: File upload for 'sysmon/1749980606.66.sysmon.xml'
2025-06-15 12:43:26,678 [cuckoo.core.resultserver] DEBUG: Task #6556656 uploaded file length: 146164
2025-06-15 12:43:26,921 [cuckoo.core.resultserver] DEBUG: Task #6556656: File upload for 'shots/0002.jpg'
2025-06-15 12:43:26,931 [cuckoo.core.resultserver] DEBUG: Task #6556656 uploaded file length: 134048
2025-06-15 12:43:26,945 [cuckoo.core.resultserver] DEBUG: Task #6556656 had connection reset for <Context for LOG>
2025-06-15 12:43:28,653 [cuckoo.core.guest] INFO: win7x642: analysis completed successfully
2025-06-15 12:43:28,666 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-15 12:43:28,698 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-15 12:43:29,311 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x642 to path /srv/cuckoo/cwd/storage/analyses/6556656/memory.dmp
2025-06-15 12:43:29,312 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x642
2025-06-15 12:43:36,270 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.202 for task #6556656
2025-06-15 12:43:36,637 [cuckoo.core.scheduler] DEBUG: Released database task #6556656
2025-06-15 12:43:36,658 [cuckoo.core.scheduler] INFO: Task #6556656: analysis procedure completed

Signatures

Yara rules detected for file (8 events)

description	Disable AntiVirus	rule	disable_antivirus
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 15, 2025, 1:42 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Harvests credentials from local FTP client softwares (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\SOFTWARE\Ghisler\Windows Commander
registry	HKEY_CURRENT_USER\SOFTWARE\Ghisler\Total Commander
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Ghisler\Total Commander

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress June 15, 2025, 1:42 p.m.	ordinal: 0 function_address: 0x0041cc58 function_name: wine_get_version module: ntdll module_address: 0x77a40000		3221225785	0